Cyber Essentials Scope Definition: The Step That Determines Whether You Pass

Cyber Essentials scope definition is the decision about which systems, devices, and services will be included in your assessment. It is the first technical decision in the certification process and the one that most affects whether your assessment proceeds cleanly or surfaces gaps that require remediation before a certificate can be issued. Getting it right before the questionnaire is completed is substantially less expensive than discovering a scope error during a Cyber Essentials Plus technical verification.

What Does Cyber Essentials Scope Cover?

The scope of a Cyber Essentials assessment covers the systems and infrastructure that your organisation wants to certify. For many organisations this means the entire IT estate. For others, particularly those with complex or multi-site infrastructure, it is possible to define a boundary that includes a specific subset of systems. Regardless of how the boundary is drawn, the scheme requires that the scope includes all devices used to access in-scope services and data. This is where cloud services can create complications. If your staff use personal devices to access cloud services that are in scope, those devices fall within the assessment boundary unless you have implemented controls that prevent unmanaged device access.

What Must Be Included in Scope?

The Cyber Essentials certification scheme includes specific requirements about what cannot be excluded. Internet-facing services and the devices that access them must be in scope. Cloud services used by the organisation must be assessed, with the responsibility for each control split between the cloud provider and the organisation based on the service model. Infrastructure-as-a-service environments require more direct control by the customer than software-as-a-service platforms, where the provider carries more of the responsibility for underlying security configuration.
User devices including laptops, desktops, and mobile devices that access in-scope services must be included. Thin clients, virtual desktops, and devices used exclusively for development or testing have their own treatment under the scheme. Each category needs to be assessed against the relevant control requirements, not assumed to be out of scope because it is a different device type.

Where Scope Definition Goes Wrong

The most common scope errors fall into a few categories. The first is under-scoping: excluding systems or devices that should be included. This typically happens when an organisation defines its scope based on what it manages directly and omits cloud services, contractor-provided devices, or remote access infrastructure that technically meets the inclusion criteria. An under-scoped assessment produces a certificate that does not accurately describe the organisation’s security posture, which creates risk if a breach occurs in the excluded area.

The second is over-scoping: including systems that create unnecessary assessment burden without adding meaningful coverage. Large organisations with clearly separated networks sometimes include infrastructure that has no connection to the services their certification is meant to cover. Over-scoping does not invalidate the assessment, but it increases the remediation work required before the assessment can be completed and adds cost to the annual renewal cycle.

A third category is scope drift: the scope defined at the time of the original assessment becomes inaccurate before the renewal. New cloud services are adopted, devices are added, staff access patterns change. An assessment conducted against a scope that no longer matches the organisation’s actual infrastructure produces findings that reflect the gap between the documentation and reality. Organisations that identify scope drift before renewal typically close the gap within a single advisory session. Those that encounter it during the Plus technical verification face remediation under deadline pressure.

How to Define Your Scope Correctly

The starting point is a current inventory of the systems and services your organisation uses, including cloud platforms, remote access tools, and the devices your staff use to access them. From that inventory, your scope boundary is drawn around the services and systems that need to be certified, and then the devices and access paths that touch that boundary are identified.

For organisations with a simple IT estate, this is a straightforward exercise. For organisations with a mix of managed and unmanaged devices, multiple cloud providers, or significant remote working infrastructure, the scope decision requires judgment about where the boundary sits and how each category of system is treated.

The scope document produced before the assessment begins should describe the boundary clearly enough that an assessor reviewing it can determine whether a given device or service is included or excluded without ambiguity. If the boundary is unclear in the document, it will be unclear to the assessor.
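As an added illustration (not from the original article and not any scheme or Carbide tooling), the classifier below encodes the inclusion rules described on this page over a constructed inventory: internet-facing and cloud services cannot be excluded, every device that reaches an in-scope service follows it into scope, unmanaged devices drop out only when a control actually blocks their access, and a drift check compares the result with the scope declared at the last assessment. The asset names and the `unmanaged_access_blocked` flag are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str                  # "service" or "device"
    internet_facing: bool = False
    cloud: bool = False
    managed: bool = True       # devices only: organisation-managed or personal
    accesses: list = field(default_factory=list)  # devices only: services reached

def in_scope(inventory, certify, unmanaged_access_blocked=False):
    """Names of assets that must be declared in scope for the boundary 'certify'.

    unmanaged_access_blocked (assumed flag): True only if a technical control
    prevents unmanaged devices from reaching in-scope services.
    """
    scope = set(certify)
    # Internet-facing services and cloud services the organisation uses
    # cannot be excluded from the assessment.
    for a in inventory:
        if a.kind == "service" and (a.internet_facing or a.cloud):
            scope.add(a.name)
    # Every device that accesses an in-scope service follows it into scope,
    # unless it is unmanaged and unmanaged access is genuinely blocked.
    for a in inventory:
        if a.kind == "device" and any(s in scope for s in a.accesses):
            if a.managed or not unmanaged_access_blocked:
                scope.add(a.name)
    return scope

def scope_drift(declared, current):
    """Differences between the scope declared at the last assessment and now."""
    return {"added": sorted(current - declared), "removed": sorted(declared - current)}

def sample_inventory():
    """Constructed inventory for illustration only; not a real estate."""
    return [
        Asset("crm-saas", "service", cloud=True),
        Asset("vpn-gateway", "service", internet_facing=True),
        Asset("internal-wiki", "service"),
        Asset("build-lab", "service"),
        Asset("laptop-01", "device", accesses=["crm-saas", "internal-wiki"]),
        Asset("byod-phone-02", "device", managed=False, accesses=["crm-saas"]),
        Asset("lab-desktop-03", "device", accesses=["build-lab"]),
    ]

if __name__ == "__main__":
    inv = sample_inventory()
    now = in_scope(inv, ["internal-wiki"])
    declared = {"internal-wiki", "crm-saas", "vpn-gateway", "laptop-01"}
    print(sorted(now), scope_drift(declared, now))
```

Running it shows the personal phone pulled into scope by the cloud CRM it reaches, and reported as drift against the previously declared boundary, while the lab desktop that only touches an out-of-boundary service stays out.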

If you are new to the Cyber Essentials scheme and want to understand the full certification process before working through scope, start with our introduction to Cyber Essentials and the guide to choosing between Cyber Essentials and Cyber Essentials Plus.

How Carbide Handles Scope Definition

Carbide advisors work through scope definition at the start of every Cyber Essentials engagement. The process begins with a review of your IT estate, identifies the cloud services and device categories that require attention, and produces a scope boundary that accurately reflects your environment before the questionnaire is completed.

The Carbide platform tracks your controls and evidence against the scheme requirements throughout the year, so your renewal is not a rebuild from scratch. Your advisor reviews the current state of your program before each assessment begins and identifies any gaps that need to close before the questionnaire is submitted. Talk to our team.